Sophos Causing Slowness on Macbook Pros with HDDs?

apizz
Valued Contributor

Our faculty have been experiencing significant performance issues on Mid 2012 Macbook Pros with HDDs this year. Logging in takes over 2 minutes, a lot of beachballing, performance when opening applications and multi-tasking is sluggish and slow, and just getting to the point where all menubar items are loaded for a user who has already logged in on a machine takes at least a minute and half or two.

The only major things that are different with our image this year (we are coming from Deploy Studio) in terms of software is Sophos Anti-Virus and TeamViewer. All other software (MS office, Google Chrome, etc.) was present on our image last year.

We've been troubleshooting for a week or two now. As a test, we recently completely removed Sophos. Logging in with an AD user after initial account creation takes less than a minute to load everything, MS Office applications launch in the time it takes for the icon to bounce one or two times in Dock. Definitely a noticeable and substantial performance improvement.

I'm trying to determine if anyone else with Sophos AV installed on machines with HDDs are having similar issues, and if so are there any settings on the Sophos server / policy side of things that you've changed to improve performance?

The only reason we installed Sophos on all our Macs this year was because of our auditors and before we go uninstalling Sophos on everyone's Macs I'd like to at least rule out any particular settings so we can at least continue somewhat protecting our users. My Sys Admin has done some reading and has already turned off Read under On Access Scanning as a test for our users.

Thanks in advance!

8 REPLIES 8

CasperSally
Valued Contributor II

You mean non SSDs?

We have some white macbooks left with the dreaded 5400rpm drives that Sophos was greatly slowing down login speeds on. We delayed the login agent for sophos to start 3-4 minutes after startup to allow the logins (and other startup items) to startup.

This helped a lot at least with login times. We don't notice that big of an issue on our SSD machines.

rcorbin
Contributor II

We saw this a bit more in the previous year with the Mid 2012 Macbook Pros on a 10.9 build. Not as much a slow log in but very slow to boot up. This year with the 10.10 builds the boot time seems to be faster on these Mid 2012 Macbook Pros. We do use Sophos. It certainly does slow the machine down a bit, but I'm not sure that it was the culprit of the slow boot times. We have a lot of the Mid 2012 Macbook Pros in our fleet. Part of the reason for that was that many of our users did not want to give up DVD drives. Adding external Superdrives would have been cost prohibitive. @CasperSally is it easy to delay the login agent ?

Chris_Hafner
Valued Contributor II

We are also using Sophos Cloud. We have a high population for Mid-2012 MacBook Pros (13") with spinning platter HDDs. Overall boot (from an unpowered state) is about 2 min. In my experience Yosemite just seems to take that long. These times are compatible to those machines running plain ol' 10.10.5. LOTs of things changed with Yosemite, especially with the 10.10.4/5 updates. However, log in times are pretty quick. That said, our users accounts are local and NOT bound to AD.

apizz
Valued Contributor

So the theme appears to be that slow login with Sophos AV is normal on spinning hard drive MBPs. But no one thus far has mentioned anything in terms of poor performance while actively using the machine with Sophos installed and spinning drives ...

Chris_Hafner
Valued Contributor II

@aporlebeke Sorry, to clarify my last post. Yosemite itself seems to take a long time (~2min) to boot in most configurations on the platter based HDDs I've tested. Login is rather quick, even with Sophos installed but NOT bound to AD.

apizz
Valued Contributor

So, @Chris_Hafner, boot takes a while, login is fast, but performance is normal?

Do you have any special policies / settings on your Sophos server, or particular things turned off?

Chris_Hafner
Valued Contributor II

Yep. Boot takes a while, login is fast and performance is mostly normal (i.e. the new hibernate settings but that's a separate topic). As for Sophos... no, it's a super standard cloud instance running at default settings. I am installing Sophos using their recommended methods for distributing during imaging... which, I'll admit I am a little skeptical about. There are a number of posts including what I've ended up using here:
https://jamfnation.jamfsoftware.com/discussion.html?id=12348

In short, I'm installing Sophos on a target machine, moving and renaming the configuration file to a location to be reused AFTER a unit is imaged, then deleting the associated security keychain and packaging what's left. I'm planning on digging into a number of new keychain related topics later given some weird user template behavior I'm seeing in 10.10.5. But I digress... the install method is pretty much the reverse. Install the .dmg, move the configuration file back into place and restart the

I have found, that the SophosEndpoint is registering as it's own user though. I'm not sure if this is the way it is "supposed" to function. I'll admit that I'm a little worried that it's related to how I've re-established the user keychain based on Sophos' own guide. Yet, performance still seems to be OK. The only things I'm really noticing at the moment is it sometimes wrecks havoc on files users drag manually out of old, non-associated Time Machine backups.

apizz
Valued Contributor

We've been troubleshooting with Sophos for a few months now and I wanted to report where we're at.

After a lot of back and forth, we finally got put in touch with Sophos engineers in the UK. They admitted there are known issues with Sophos running on hardware with only 2GB of RAM. However, this doesn't apply to us as all our machines have 4GB.

At the moment, there is also a particularly large AV file that Sophos has to load beginning at computer startup. Rather than having each separate Sophos process pulling from the same loaded resources from the AV file, each process currently has to access and load the file separately, which could contribute to the longer-than-normal login times after rebooting. However, in our situation when we tested waiting 1, 2, even 3 minutes at the login screen to see if we'd notice faster login times if the computer had already loaded this AV file, we did not notice any significant improvements in the overall login time after the computer had been rebooted. Sophos is apparently working to address both of these issues in a later release, but as of now does not have a release date.

So unfortunately all we've been able to determine is that the longest login times with Sophos installed for a new user is after reboot on a Macbook Pro with a spinning hard drive at 2 to 2:30 minutes. While shorter, we still get login times of 45 seconds to 1:15 minutes for returning users on the same computer after it's been rebooted. All things constant with the image & installed software, removing Sophos does notably reduce login times for new and returning users after the computer has been rebooted.